I'm going to start by mentioning that I'm new to Solaris. I've mostly been an Arch Linux user thus far. Now I've built a new fileserver and decided to run Solaris because I felt that ZFS had a lot to offer, and I'm playing with the idea of moving my webserver into a zone on this new box in order to take the dedicated system offline, as it's underutilized.

Now the main things I need so far are Kerberos for Active Directory integration and SMB for file sharing. This seems fairly simple to me, and nothing I haven't done on a typical Linux system, but I'm having problems. Getting things going has not been as painless as I expected; I've hit a learning curve, so to speak, and I'm having a few issues.

I'm going to start with winbind.

How do I configure the nsswitch.conf so that it doesn't get reset after I reboot the system?

Every time I boot, I have to reconfigure it and restart winbind in order to get anything listed with getent.

The other thing there is that when I run getent passwd, I see my AD users listed, but when I run getent group, I only see the local groups; nothing from AD appears.

I too recently switched to Solaris from Linux/Ubuntu, mostly for ZFS, stable iSCSI and stability in general. One of the first things I had to learn was that Solaris has a tool to modify almost every configuration file. You should never touch any of them directly anymore. Lots of sites on the internet still tell you to modify stuff like nsswitch.conf and resolv.conf directly, but that's wrong.

You may also have had a problem getting DNS to resolve for command-line tools. The program 'svccfg' is the tool to modify nsswitch, the DNS client, etc.

I also successfully got Solaris 11, its native SMB server and LDAP client working to serve up shares authenticated by the domain and using ACLs that Windows sets. I can provide some help on that if you get stuck.

I'm not too familiar with winbind on Solaris 11. I used the built-in ldapclient and the built-in SMB server instead of Samba. And quite honestly it's run way better than winbind/samba on another Linux machine where I have it set up.

Given that users are listed, it seems things are working; however, the mappings for groups may not be set up right? Does your Samba configuration include something similar to this?
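The svccfg route described above, as an added example that is not code from this thread: a POSIX shell helper that prints (or, piped to sh on the Solaris box, runs) the svccfg/svcadm commands that set the name-service/switch sources, plus a check of the generated nsswitch.conf so you can confirm after a reboot that hosts still carries dns and passwd/group still carry ldap. The property names (config/password, config/group, config/host, config/default) and the '"files dns"' quoting are the Solaris 11 name-service/switch ones; the function names and the sample file are my own.

```shell
# Added example, not from the thread. Solaris 11 regenerates /etc/nsswitch.conf
# from SMF on boot, so the sources must be set on svc:/system/name-service/switch
# with svccfg; this prints the commands so they can be reviewed, then piped to sh.
SWITCH_FMRI="svc:/system/name-service/switch"

# Print svccfg commands for "db=sources" pairs (db is the SMF property name:
# password, group, host, default, ...; config/host also drives the ipnodes
# line on Solaris 11), followed by the refresh that regenerates the file.
nsswitch_cmds() {
    q="'"
    for pair in "$@"; do
        db=${pair%%=*}
        src=${pair#*=}
        # astring values containing spaces need '"..."' when typed from a shell
        printf 'svccfg -s %s setprop config/%s = astring: %s"%s"%s\n' \
            "$SWITCH_FMRI" "$db" "$q" "$src" "$q"
    done
    printf 'svcadm refresh %s\n' "$SWITCH_FMRI"
}

# Apply on the Solaris box (needs root): nsswitch_apply host="files dns" ...
nsswitch_apply() {
    nsswitch_cmds "$@" | sh
}

# Verify a generated nsswitch.conf: for each "db=source" pair, report the
# database line that lacks that source. Returns 1 if anything is missing.
nsswitch_check() {
    file=$1; shift
    rc=0
    for pair in "$@"; do
        db=${pair%%=*}
        want=${pair#*=}
        line=$(grep "^$db:" "$file" | tail -n 1 | tr '\t' ' ')
        case " ${line#*:} " in
            *" $want "*) ;;
            *) echo "missing: '$db' needs '$want' (have: ${line:-no entry})"; rc=1 ;;
        esac
    done
    return $rc
}
```

After the refresh, `nsswitch_check /etc/nsswitch.conf hosts=dns passwd=ldap group=ldap` is a quick post-reboot sanity check.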

Yes, I do have that in my smb.conf. I don't have the uid and gid sections; when I ran testparm it said those were deprecated, so I cut them out. One issue I'm seeing from my AD server, though, is that it doesn't seem to broadcast the host name at all. I can type in the path to \\srv-data\ and access shares, but I don't see it on the network from the AD server or my other Linux machine, or Mac systems.

Now if there is a better way to configure all this with the built-in SMB server, I'm all ears. I tried the kclient wizard, but it was giving me errors. I will happily start over if that is the better way to do it.

Would you like to delete any sub-object found for this computer account ? [y/n]: y
Looking to see if the machine account contains other objects...
Creating the machine account in AD via LDAP.

Warning: unable to create DNS records for client.
This could mean that 'srv-ad.sergeinc.org' is not included as a 'nameserver' in the /etc/resolv.conf file or some other type of error.
---------------------------------------------------
Setup COMPLETE.

So that all seemed well... but then after a reboot...

solaris@srv-data:~$ cat /etc/nsswitch.conf

#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
# See nsswitch.conf(4) for details.

I referred back to this blog again and got my shares working using the built-in methods. So I disabled and uninstalled Samba, leaving just smb:
https://blogs.oracle.com/paulie/entry/cifs_sharing_on_solaris_11

Now I was able to reboot, and the shares stayed shared... my only issue is now I can't log in remotely... I hope it's just remotely...

Glad you got that working. For the login, you'll need to get the ldapclient connected to the AD server for uid/gid lookups. Also for Kerberos, once you've joined the domain with smbadm join -u [user] [domain], you can just call 'kinit'. This will get a ticket; make sure your Solaris clock is matched with the domain clock as closely as possible.

You'll probably want to stop the winbind service before doing these steps.

Here is a page about Solaris 10 and AD; you can ignore most of it, but the ldapclient manual configuration is what you will want to use.
http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/

You don't need to touch the Kerberos files; kinit will take care of that. One thing to note: after you run a successful ldapclient manual configuration, it will replace your nsswitch entries with "files ldap" for everything. You will need to re-add dns to hosts and ipnodes.

Once that is done, getent passwd and getent groups should now show just as they did with winbind.

To handle logins, however, you need to add the ldap module to the PAM modules. In /etc/pam.d/, modify login, other, passwd, ppp, rlogin and rsh to include "auth sufficient pam_ldap.so.1" at the bottom.

Now SMB and ssh will be able to authenticate.

To get the first share working properly, you will need to modify it with the right ACLs so your domain admins, or whichever login you want to use, can create new folders, etc.
Use idmap to get the ID number to pass in to the ACL.

In this case I want to give myself (toms) full access to the first share; then I can just use the Windows Explorer dialog to modify the security later.

#chmod A+user:2147491841:full_set:allow /tank/smb/public

You need to make sure you have the UNIX plugin for AD installed so AD is the one handling the uid/gids of the AD people connecting. Come to think of it, it's possible that was the issue with your winbind not showing groups. If the group doesn't have a GID assigned to it by AD, then it will not show in getent groups. If you do not see a user or a group showing up now, it is probably that issue.

You'll know if you have the UNIX tools installed if you see a "UNIX Attributes" tab in the properties window of a user or group from the "Active Directory Users and Groups".

When you try and SSH in with an AD user, it will use the "home directory" field from the UNIX Attributes tab to try and create the home folder for them. You need to use the auto_home file to be able to mount the proper locations for them. Otherwise SSH will not let you log in. I get this when trying to su to an AD user:
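The PAM step from the answer above, as an added helper that is not code from this thread: a POSIX shell function that appends the "auth sufficient pam_ldap.so.1" line to the six per-service files the answer names, once only, keeping a backup of each file it touches. PAM_DIR, PAM_SERVICES and the .pre-ldap backup suffix are my own choices; the files the test exercises are constructed in a scratch directory.

```shell
# Added example, not from the thread: append the pam_ldap auth line to the
# Solaris 11 per-service PAM files, exactly once, with a backup of each file
# changed. PAM_DIR defaults to /etc/pam.d; point it at a scratch directory
# to rehearse the change before touching the real files.
PAM_DIR=${PAM_DIR:-/etc/pam.d}
PAM_LDAP_LINE='auth sufficient pam_ldap.so.1'
PAM_SERVICES='login other passwd ppp rlogin rsh'

# Does FILE already carry an auth line for pam_ldap.so.1 (any spacing/flag)?
has_pam_ldap() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_ldap\.so\.1' "$1"
}

# Append PAM_LDAP_LINE to every service file that lacks it and print the number
# of files changed. Service files that do not exist are reported and skipped.
add_pam_ldap() {
    changed=0
    for svc in $PAM_SERVICES; do
        f="$PAM_DIR/$svc"
        if [ ! -f "$f" ]; then
            echo "skip: $f does not exist" >&2
            continue
        fi
        if has_pam_ldap "$f"; then
            continue                           # already configured: idempotent
        fi
        cp -p "$f" "$f.pre-ldap"               # keep a copy for rollback
        # append on a fresh line even if the file lacks a trailing newline
        [ -z "$(tail -c 1 "$f")" ] || echo >> "$f"
        printf '%s\n' "$PAM_LDAP_LINE" >> "$f"
        changed=$((changed + 1))
    done
    echo "$changed"
}
```

Rolling back is just moving each .pre-ldap copy back over its service file.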

Just a thought, if you haven't already reinstalled: at the GRUB boot menu, you will have some backup boot images if any updates have been installed. Select the prior one and it will load the earlier version of rpool with the intact PAM files, which you can then maybe copy to the current rpool snapshot.

That's when I tried single-user mode and booting from the DVD; that's when I started referring to the doc below and other similar docs. When I didn't get anywhere in a timely fashion, I gave up and started reinstalling the OS this morning before I left for work.

http://docs.oracle.com/cd/E19253-01/819-5461/gjpna/index.html

I was able to ssh to it from work on my "lunch break" and do most of the configuration from there. DNS is set, I went through kclient, and I got my Samba shares up. Now it's just a matter of configuring LDAP, which I've never done yet and may find a tad tedious, and finally tweaking the permissions for my shares.

One thing I don't understand: does the built-in smb.conf still use the smb.conf? I had a umask set on one of my shares to set everything to 777, as it was just an open free-for-all share. Can I still do that?